Cross-Site Request Forgery (CSRF)

strawberrygraphql is vulnerable to cross-site request forgery CSRF. The vulnerability is due to the default configuration of the Strawberry GraphQL library, which allows multipart file upload support without proper CSRF protection and exempted the integration from Django's built-in CSRF safeguard...

CVE-2024-3127 Improper Access Control in GitLab

An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to bypass the IP restriction for groups through GraphQL...

Exploit for CVE-2021-4191

This repository contains a collection of exploits and proof-of-concept POC code for various vulnerabilities, including a high-severity vulnerability in Android versions 12 and 13 CVE-2024-0044, an unauthenticated remote command execution RCE vulnerability in BYOB Build Your Own Botnet v2.0.0, and...

0xsodium (>=0.0.0 <=1.48.0), 3extensions (=1.0.1) +967 more potentially affected by CVE-2023-26144 via graphql (>=16.3.0 <=16.8.0)

graphql NPM version =16.3.0, =0.0.0, =0.0.1, =0.0.0, =0.0.0, =0.0.1, =1.16.13, =1.8.5, =1.1.12, =1.6.23, =1.16.6, =1.1.12, =1.8.5, =1.16.33, =1.0.0, =1.17.12-beta-20260420-075606-d7d7a9c7 and more Source cves: CVE-2023-26144 Source advisory: OSV:GHSA-9PV7-VFVM-6VR7...

0xsodium (>=0.0.0 <=1.48.0), 3extensions (=1.0.1) +967 more potentially affected by CVE-2023-26144 via graphql (>=16.3.0 <=16.8.0)

graphql NPM version =16.3.0, =0.0.0, =0.0.1, =0.0.0, =0.0.0, =0.0.1, =1.16.13, =1.8.5, =1.1.12, =1.6.23, =1.16.6, =1.1.12, =1.8.5, =1.16.33, =1.0.0, =1.17.12-beta-20260420-075606-d7d7a9c7 and more Source cves: CVE-2023-26144 Source advisory: SNYK:JS-GRAPHQL-5905181...

CVE-2022-41876 ezplatform-graphql GraphQL queries can expose password hashes

ezplatform-graphql is a GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Versions prior to 2.3.12 and 1.0.13 are subject to Insecure Storage of Sensitive Information. Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or...

apollo-gateway-rs (>=0.7.5 <=0.7.6), aqlgen (>=0.1.0 <=0.8.0) +61 more potentially affected by unknown CVE via async-graphql (>=1.13.4 <=4.0.16)

async-graphql CARGO version =1.13.4, =0.7.5, =0.1.0, =0.1.0, =0.1.0, =0.0.1-alpha+3, =0.1.0, =2.9.13, =0.1.0-beta.0, =2.9.12, =0.2.0, =1.14.10, =0.1.0, =1.0.0, =4.0.16 and more Source cves: unknown CVE Source advisory: OSV:GHSA-XQ3C-8GQM-V648...

UBUNTU-CVE-2022-0172

An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.3. Under certain conditions it was possible to bypass the IP restriction for public projects through GraphQL allowing unauthorised users to read titles of issues, merge requests and milestones...

Shopify: Staff can use BULK_OPERATIONS_FINISH webhook topic using Graphql without permissions all

I am reporting this because it looks like an authorization bug in GraphQL. A Staff member with no permissions on a Shopify Store may be able to create Webhooks with the webhookSubscriptionCreate mutation on BULKOPERATIONSFINISH webhook topic. POST...

CVE-2021-21027

Magento versions 2.4.1 and earlier, 2.4.0-p1 and earlier and 2.3.6 and earlier are affected by a cross-site request forgery CSRF vulnerability via the GraphQL API. Successful exploitation could lead to unauthorized modification of customer metadata by an unauthenticated attacker. Access to the...

@anacoelhovicente/primecore (=0.3.4-beta.1-webhook), @axonish/core (>=0.2.0 <=0.3.0) +29 more potentially affected by unknown CVE via type-graphql (>=0.12.3 <=0.17.5)

type-graphql NPM version =0.12.3, =0.2.0, =0.0.2, =1.0.0, =1.0.0, =0.0.5, =0.0.1, =0.0.0-4d6c2e0, =0.1.0, =0.3.0-alpha.1, =0.0.1, =5.2.0, =0.0.1, =0.0.2 and more Source cves: unknown CVE Source advisory: OSV:GHSA-XF64-2F9P-6PQQ...

HackerOne: Email address of any user can be queried on Report Invitation GraphQL type when username is known

Summary: Email id of all hackerone users disclosure Description: There is an flaw , with that i can get all hackerone users email id Steps To Reproduce 1. Invoke the below graphql call POST /graphql HTTP/1.1 "query":"mutation Revokecredentialmutation$input0:AddReportParticipantInput!...